The security group at my company performed a web security scan (with WebInspect), and they found that Set-Cookie does not use the HttpOnly keyword. They sent me a list of the URLs where they found this vulnerability (in fact, none of the pages of my Global Payroll application use this "feature"). I think this "feature" is on the web server. I'm using PeopleTools 8.49.30 and WebSphere 18.104.22.168 (I tried to find where to activate it, but I couldn't find it). Do you know how I can enable this "feature"?
You can see document ID 985574.1 on Oracle Support for the answer.
This is a fragment of the document:
"PeopleSoft PIA does not support HTTPOnly for cookies. Enhancement request Bug:11521341 has been created with development to request this feature in a future PeopleTools release. This document will be updated when and if this enhancement becomes part of a tools release. As of now, it is still not part of PT 8.52."
It could be implemented in PT 8.53, but you have to wait until next year...
I found that there are some APARs for WebSphere that can solve this, but I would need to upgrade my web server to a new version that is not certified by Oracle. Anyway, I already downloaded the Doc ID and I use it as supporting evidence for my audit.
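As an added example, not from the original thread and not part of PeopleTools or WebSphere: a small Python script that reproduces, offline, the check a scanner such as WebInspect performs when it reports "Set-Cookie does not use HttpOnly". It parses each Set-Cookie header (attribute names are case-insensitive per RFC 6265) and reports cookies that lack HttpOnly, optionally also Secure. The sample headers and cookie names are constructed for illustration, not captured from a real PeopleSoft instance; `audit_url` is included for checking a live URL once an APAR or a new tools release is in place, but is not exercised by the offline sample.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) attribute.

Offline reproduction of the scanner check: each Set-Cookie value is parsed
and any cookie lacking the required attribute is reported.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import urllib.request


@dataclass
class CookieFinding:
    """One cookie that is missing one or more protective attributes."""
    name: str
    missing: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie value into (cookie name, attribute dict).

    Attribute keys are lower-cased because RFC 6265 makes them
    case-insensitive ("HttpOnly", "httponly" and "HTTPOnly" are all valid).
    Flag attributes with no value (Secure, HttpOnly) map to None.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else None
    return name, attrs


def audit_set_cookie(header_values: List[str],
                     require_secure: bool = False) -> List[CookieFinding]:
    """Return a finding for every cookie that lacks HttpOnly (and, if
    require_secure is set, the Secure flag). An empty list means clean."""
    findings: List[CookieFinding] = []
    for header_value in header_values:
        name, attrs = parse_set_cookie(header_value)
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if require_secure and "secure" not in attrs:
            missing.append("Secure")
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings


def audit_url(url: str) -> List[CookieFinding]:
    """Fetch one URL and audit every Set-Cookie header in the response.

    Needs network access; Secure is required only for https:// URLs.
    """
    with urllib.request.urlopen(url) as resp:
        return audit_set_cookie(resp.headers.get_all("Set-Cookie") or [],
                                require_secure=url.startswith("https://"))


# Constructed sample headers (assumed names, not a real PIA capture).
SAMPLE_HEADERS = [
    "PS_TOKEN=abc123; Path=/; Secure",                                # no HttpOnly
    "SESSIONID=xyz789; Path=/; HttpOnly",                             # no Secure
    "psprd-8000-PORTAL-PSJSESSIONID=deadbeef; Path=/; Secure; HttpOnly",  # clean
    "ExpirePage=http://example.invalid/psp/ps/; Path=/",              # neither flag
]


if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_HEADERS, require_secure=True):
        print(f"{finding.name}: missing {', '.join(finding.missing)}")
```

Run against the live sign-on page with `audit_url("https://<your-pia-host>/psp/ps/?cmd=login")` (host assumed) to confirm the scanner's finding or to re-verify after a web-server fix; the offline sample shows the three failure modes (HttpOnly missing, Secure missing, both missing) beside one correctly flagged cookie.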